A Nanaimo cybersecurity expert was recently called upon to help shed light on cryptic information gleaned from a computer scientist about communications between the Trump presidential campaign and a Russian bank.
The computer scientist, who goes by the alias Tea Leaves, is one of just a few people worldwide entrusted with a list of nearly all the web servers in the world. These researchers hunt malware – programming such as viruses and other hostile software that can damage networks, disrupt communication and control systems, steal information or commit other malicious acts. Their work helps protect private users, businesses, governments, anyone connected to the Internet.
To communicate, the Internet uses a set of protocols called the Domain Name System or DNS – similar to street addresses or phone numbers – to ensure information is passed between its intended senders and recipients. In late July, some DNS data caught Tea Leaves’ eye that has led to reports in the news media suggesting an e-mail server owned by U.S. presidential candidate Donald Trump was in communication with Russia.
“What we’re seeing here is that Alpha Bank in Russia is doing lots and lots of these phonebook lookups for this [e-mail] server connected to the Trump organization,” said Christopher Davis, founder and CEO of Nanaimo-based cybersecurity firm HYAS InfoSec, who was called upon to consult on the data.
Davis received the U.S. Federal Bureau of Investigation’s Director’s Award in 2013 for bringing down an international network of more than 15 million computers, hijacked by malware to steal passwords, credit card numbers and personal data in 2009. His work helped prosecute a Slovenian and two Spaniards behind the scheme.
The Trump e-mail server appeared to be set up for mass marketing the Trump Card Privileges Program, but based on the data Davis looked at, the e-mail server appeared to be talking to only two places, an Alpha Bank server in Russia and another at U.S.-based Spectrum Health.
“If I’m setting up a marketing mail server, what kind of [poor] marketing am I doing if I’m only sending out marketing messages to two places?” Davis said. “Those are the questions I have and there’s no good answer for them. I don’t know what the answer is.”
Unfortunately, reading DNS data doesn’t reveal communication content. What it does reveal are patterns that can indicate whether communications are being sent automatically by malware or by people typing at keyboards. Davis thinks it’s the latter, but said he can’t draw any conclusions about who they are or what’s being communicated.
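The kind of pattern reasoning described above, as an added illustration that is not code from the article, from Davis or from HYAS: passive-DNS records carry only who looked up which name and when, so an analyst looks at how many distinct sources query a name and whether any source's lookups arrive on a fixed timer (a typical malware beacon) or irregularly (more consistent with people or ad-hoc systems). All hostnames, resolver names and timestamps below are constructed placeholders.

```python
"""Passive-DNS pattern triage (added example, not from the article or HYAS).

Each record is (timestamp_seconds, querying_resolver, queried_name): the
metadata a passive-DNS feed keeps, with no message content at all.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a mail host looked up by only two resolvers, one of them
# on a rigid 300 s cadence, plus a busy name queried by many different askers.
LOOKUPS = [
    (1000, "resolver-a.example", "mail.example-org.test"),
    (1300, "resolver-a.example", "mail.example-org.test"),
    (1600, "resolver-a.example", "mail.example-org.test"),
    (1900, "resolver-a.example", "mail.example-org.test"),
    (1010, "resolver-b.example", "mail.example-org.test"),
    (1450, "resolver-b.example", "mail.example-org.test"),
    (2900, "resolver-b.example", "mail.example-org.test"),
] + [(1000 + 37 * i, f"r{i}.example", "www.popular.test") for i in range(12)]


def per_name_stats(records):
    """Map queried name -> (total lookups, number of distinct querying sources)."""
    total, sources = defaultdict(int), defaultdict(set)
    for _, src, name in records:
        total[name] += 1
        sources[name].add(src)
    return {n: (total[n], len(sources[n])) for n in total}


def interval_cv(records, src, name):
    """Coefficient of variation of the gaps between one source's lookups of a
    name. Near 0 means a fixed cadence (timer-driven); None if under 3 lookups."""
    times = sorted(t for t, s, n in records if s == src and n == name)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps)


def triage(records, name, max_sources=2, cadence_cv=0.1):
    """Flag a name queried by very few sources and list sources whose cadence
    looks timer-driven; irregular cadence is left for a human to interpret."""
    total, distinct = per_name_stats(records)[name]
    timer_like = []
    for src in sorted({s for _, s, n in records if n == name}):
        cv = interval_cv(records, src, name)
        if cv is not None and cv < cadence_cv:
            timer_like.append(src)
    return {"lookups": total, "distinct_sources": distinct,
            "few_sources": distinct <= max_sources,
            "timer_like_sources": timer_like}
```

Such a flag is a prompt for further investigation, not a conclusion: as the article notes, DNS metadata alone cannot say who is behind the lookups or what was sent.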
“There was like five of us that sort of went over this with a fine-tooth comb and looked at it pretty deeply. There’s a bunch of weirdness to it that doesn’t match anything in my 20 years, 25 years of doing IT that I’ve ever seen before,” Davis said. “It’s just that I’ve never seen anyone set up to send spam to two people. It’s kind of a ridiculous thing to do.”